Registry Forensics Cheat Sheet

Forensics Cheat Sheet

1. KEYS TO AUDIT – HKU: Settings that apply ONLY to the default user profile, i.e. what a new user inherits when the account is created.
2. Note: The Current User key (HKCU) cannot be set using a security template because the template would need the user's SID, but you
can set the auditing with a PowerShell script run as the currently logged-on user with administrator access.


THIS KEY ONLY: (none)
USERS.DEFAULT\Control Panel\Desktop
HKCU\Environment Changes to the environment variables
HKCU\Control Panel\Desktop
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility
THIS KEY AND SUBKEYS: (containerinherit)
USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
USERS.DEFAULT\Software\Microsoft\Office\Outlook\Addins
USERS.DEFAULT\Software\Microsoft\Office\PowerPoint\Addins
USERS.DEFAULT\Software\Microsoft\Office\Word\Addins
USERS.DEFAULT\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKCU\Software\ALPS ALPs Touchpad
HKCU\Software\Classes\CLSID Watch for NEW Extensions New
HKCU\Software\Classes\exefile\shell\runas\command\isolatedCommand
HKCU\Software\Classes\mscfile\shell\open\command
HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings New
HKCU\Software\Policies\Microsoft\Windows\System\Scripts Logon/Logoff
HKCU\Software\Synaptics Synaptics Touchpad
HKCU\Software\Microsoft\CTF
HKCU\Software\Microsoft\MultiMedia
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths* If exists or create it
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls New
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant New
HKCU\Software\Microsoft\Office\14.0\Word (substitute the installed Office version: 11.0, 12.0, 14.0, 15.0)
HKCU\Software\Microsoft\Office\Outlook\Addins
HKCU\Software\Microsoft\Office\PowerPoint\Addins
HKCU\Software\Microsoft\Office\Word\Addins
HKCU\Software\Microsoft\Office Test\ If exists or create it
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKCU\Software\Nico Mak Computing WinZip
HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}
HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\WinRAR WinRAR
Aug 2019 ver 2.5 MalwareArchaeology.com Page 5 of 9
WINDOWS REGISTRY AUDITING CHEAT SHEET – Win 7/Win 2008 or later

  1. KEYS TO AUDIT – HKLM: Settings that apply to the entire system and all users
    THIS KEY ONLY: (none)
    HKLM\Software\Microsoft\WBEM\CIMOM (noisy, but can detect WMI attacks)
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
    HKLM\System\CurrentControlSet\Control
    HKLM\System\CurrentControlSet\Control\Lsa
    HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
    HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders\WDigest
    HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
    HKLM\System\CurrentControlSet\Control\Terminal Server\AddIns Look for new addins
    HKLM\System\CurrentControlSet\Services (Look for new entries) (Moved)
    CONFIGURE:
    THIS KEY AND ALL SUBKEYS: (containerinherit)
    HKLM\Software\Classes\*\ShellEx
    HKLM\Software\Classes\AllFileSystemObjects\ShellEx
    HKLM\Software\Classes\Directory\ShellEx
    HKLM\Software\Classes\Folder\ShellEx
    HKLM\Software\Classes\Protocols\Filter
    HKLM\Software\Classes\Protocols\Handler
    HKLM\Software\Classes\CLSID Watch for NEW Extensions New
    HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
    HKLM\Software\Classes\Htmlfile\Shell\Open\Command
    HKLM\Software\Clients\Mail
    HKLM\Software\Microsoft\.NETFramework
    HKLM\Software\Microsoft\Active Setup\Installed Components
    HKLM\Software\Microsoft\Internet Explorer\Toolbar
    HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP Guid} NEW
    HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP Guid} NEW
    HKLM\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{SIP Guid} NEW
    HKLM\Software\Microsoft\Office\Outlook\Addins
    HKLM\Software\Microsoft\Office\Excel\Addins
    HKLM\Software\Microsoft\Office\PowerPoint\Addins
    HKLM\Software\Microsoft\Office\Word\Addins
    HKLM\Software\Microsoft\Terminal Server Client
    HKLM\Software\Microsoft\VBA\Monitors
    HKLM\Software\Microsoft\WBEM\ESS Look for new providers
    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
    HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
    HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers
  2. KEYS TO AUDIT – HKLM: continued
    THIS KEY AND ALL SUBKEYS: (containerinherit)
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\TBDEn
    HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit Audit Command Line log settings
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options “Debugger” New
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows “Load” “AppInit_Dlls” New
    HKLM\Software\Policies\Microsoft\Windows\System\Scripts Startup/Shutdown
    HKLM\Software\Policies\Microsoft\PowerShell Audit PowerShell log settings
    HKLM\System\CurrentControlSet\Control\CrashControl Watch for DumpFile changes New
    HKLM\System\CurrentControlSet\Control\SafeBoot
    HKLM\System\CurrentControlSet\Control\Session Manager\Environment
    HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls (create key if it does not exist) New
    HKLM\System\CurrentControlSet\Control\Print\Monitors
    HKLM\System\CurrentControlSet\Control\NetworkProvider\Order
    HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
    HKLM\System\CurrentControlSet\services\NTDS
    HKLM\System\CurrentControlSet\Services\RemoteAccess
    HKLM\System\CurrentControlSet\Services\WinSock2
    HKLM\System\CurrentControlSet\Services\SysmonDrv (If using Sysmon) New
    HKLM\System\CurrentControlSet\Control\Session Manager
  3. KEYS TO AUDIT – HKLM: continued
    THIS KEY AND ALL SUBKEYS: (containerinherit)
    HKLM\Software\Wow6432Node\Classes\*\ShellEx
    HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx
    HKLM\Software\Wow6432Node\Classes\Directory\ShellEx
    HKLM\Software\Wow6432Node\Classes\Folder\ShellEx
    HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
    HKLM\Software\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP Guid} NEW
    HKLM\Software\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP Guid} NEW
    HKLM\Software\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{SIP Guid} NEW
    HKLM\Software\Wow6432Node\Microsoft\.NETFramework
    HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components
    HKLM\Software\Wow6432Node\Microsoft\Office\Outlook\Addins
    HKLM\Software\Wow6432Node\Microsoft\Office\Excel\Addins
    HKLM\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins
    HKLM\Software\Wow6432Node\Microsoft\Office\Word\Addins
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
    HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
    HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options “Debugger” New
    EXCLUDE NOISY ITEMS: These keys generate events that provide little value. After setting auditing on the parent
    key, remove auditing from these keys and from any other keys you find overly noisy with little security benefit.
    HKLM\SYSTEM\CurrentControlSet\services\Tcpip
    HKLM\SYSTEM\CurrentControlSet\services\VSS
    HKLM\SYSTEM\CurrentControlSet\services\Netlogon
    HKLM\SYSTEM\CurrentControlSet\services\BITS
    HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2
    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy New
    HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters
    Any other keys that produce a lot of log entries without significant security value.
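The HKCU note at the top of the sheet (auditing applied by script rather than by security template) and the noisy-key exclusion just above, as an added PowerShell example that is not part of the cheat sheet. The audited rights (set value, create subkey, delete, change permissions, take ownership), the "Everyone" principal and the success-only audit flag are assumptions; the sheet's two inheritance modes map to the `-Subkeys` switch.

```powershell
# Added example, not from the cheat sheet. Run in an elevated PowerShell session as the
# logged-on user so that HKCU: resolves to that user's hive. Events are only written once the
# "Audit Registry" subcategory (Object Access) is enabled in the advanced audit policy.
$auditor = [System.Security.Principal.NTAccount]'Everyone'                       # assumption
$rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Set-RegistryAudit {
    param(
        [Parameter(Mandatory)][string]$Path,   # provider path, e.g. 'HKCU:\Software\...\Run'
        [switch]$Subkeys,                      # "THIS KEY AND SUBKEYS" (containerinherit) vs "THIS KEY ONLY"
        [switch]$Create                        # keys the sheet marks "If exists or create it"
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        if (-not $Create) { Write-Warning "Key not present, skipping: $Path"; return }
        New-Item -Path $Path -Force | Out-Null
    }
    $inherit = if ($Subkeys) { [System.Security.AccessControl.InheritanceFlags]::ContainerInherit }
               else          { [System.Security.AccessControl.InheritanceFlags]::None }
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $auditor, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -LiteralPath $Path -Audit       # -Audit reads the SACL (needs SeSecurityPrivilege)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Noisy child key: stop it inheriting the parent's audit entries and drop any explicit ones.
function Remove-RegistryAudit {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.SetAuditRuleProtection($true, $false)     # protect SACL, do not copy inherited entries
    foreach ($r in $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])) {
        $acl.RemoveAuditRule($r) | Out-Null
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Entries taken from the HKCU list on the sheet: one "THIS KEY ONLY", two "THIS KEY AND SUBKEYS"
Set-RegistryAudit -Path 'HKCU:\Environment'
Set-RegistryAudit -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Subkeys
Set-RegistryAudit -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths' -Subkeys -Create
# One entry from the exclusion list, applied after auditing was set on HKLM\...\Services
Remove-RegistryAudit -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
```

Verify the result with `(Get-Acl -LiteralPath $Path -Audit).Audit` and by generating a test write to the key and checking for event ID 4657 (registry value modified) in the Security log.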
    MUICACHE: This key can provide some forensic details of things that execute on the system by user. Since it generates
    very little log data, it is a good addition to audit.
    HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache
    HKCR\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache
  4. MONITORING ROOT CERTIFICATES: continued
    Adding root certificates can be malicious, so monitoring these keys for additions is worth doing. It can be noisy,
    so focus on the additions.
    THIS KEY AND ALL SUBKEYS: (containerinherit)
    HKCU\Software\Microsoft\SystemCertificates\Root\Certificates
    HKCU\Software\Microsoft\SystemCertificates\AuthRoot\Certificates
    HKCU\Software\Microsoft\SystemCertificates\CA\Certificates
    HKCU\Software\Policies\Microsoft\SystemCertificates\Root\Certificates
    HKCU\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
    HKCU\Software\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates
    HKLM\Software\Microsoft\SystemCertificates\Root\Certificates
    HKLM\Software\Microsoft\SystemCertificates\AuthRoot\Certificates
    HKLM\Software\Microsoft\SystemCertificates\CA\Certificates
    HKLM\Software\Microsoft\EnterpriseCertificates\Root\Certificates
    HKLM\Software\Microsoft\EnterpriseCertificates\CA\Certificates
    HKLM\Software\Microsoft\EnterpriseCertificates\AuthRoot\Certificates
    HKLM\Software\Policies\Microsoft\SystemCertificates\Root\Certificates
    HKLM\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
    HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates
    All subkeys for “set value”
    HKLM\SOFTWARE\Microsoft\Cryptography\OID
    HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
    HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
    HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust
